CN109076075A - Access corporate resources - Google Patents

Access corporate resources


Publication number
CN109076075A
Authority
CN
China
Prior art keywords
response
application
mobile device
certificate
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201780024479.4A
Other languages
Chinese (zh)
Other versions
CN109076075B (en)
Inventor
巴拉苏巴拉曼亚姆·加图
孟德尔·埃利奥特·斯宾塞
罗伯特·洛恩·鲍尔曼
克林·马吕斯·博日茨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BlackBerry Ltd
Original Assignee
BlackBerry Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BlackBerry Ltd
Publication of CN109076075A
Application granted
Publication of CN109076075B
Legal status: Active
Anticipated expiration


Classifications

    • H04L 63/0823: Network architectures or network communication protocols for network security; authentication of entities using certificates
    • G06F 21/31: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; user authentication
    • H04L 63/0807: Network security; authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0892: Network security; authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L 63/10: Network security; controlling access to devices or network resources
    • H04W 12/37: Security of mobile devices; managing security policies for mobile devices or for controlling mobile applications
    • H04W 12/06: Security arrangements; authentication

Abstract

Systems, methods and software for accessing corporate resources. In some aspects, an enterprise mobility management (EMM) client on a mobile device receives, from an EMM server, a certificate for accessing corporate resources at one or more service providers (SPs). An application on the mobile device sends an authentication request to an identity provider. In response to the authentication request, an authentication challenge is received from the identity provider. The authentication challenge includes a certificate request. In response to the authentication challenge, an authentication response is sent from the application. The authentication response includes the certificate. An authorization token is received from the identity provider. The authorization token indicates whether the identity provider verified the certificate and the mobile device.

Description

Access corporate resources
Priority claim
This application claims priority to U.S. Patent Application No. 15/060,466, filed March 3, 2016, the entire contents of which are incorporated herein by reference.
Background
This disclosure relates to accessing corporate resources. In some cases, when attempting to obtain a service from a service provider over a network, an application on a mobile device sends the service provider a request to access a resource. If the application is authorized to access that resource, the service provider can grant the access.
Brief description of the drawings
Fig. 1 is a schematic diagram showing an example communication system for accessing corporate resources.
Fig. 2 is a flowchart showing an example process for accessing corporate resources.
Fig. 3 is a block diagram showing an example mobile device.
Fig. 4 is a flowchart showing an example method for accessing corporate resources.
Like reference numerals and designations in the various drawings indicate like elements.
Detailed description
In some cases, access to a service provider's resources is restricted. For example, the restriction can be enforced by a login process. During the login process, an authentication request prompts the user for a user name and password. If the user name and password are verified, the user is permitted to access the resource.
In some cases, the user performs the login process for each application that requests a restricted resource. Managing multiple user names and passwords can degrade the user experience. In some cases, a single sign-on (SSO) process is used. In an SSO process, the user can use one set of user name and password for multiple applications that request restricted resources associated with a common entity. For example, a user can use one set of user name and password to access the resources of one enterprise from multiple enterprise applications associated with that enterprise. During SSO, when one of the enterprise applications attempts to access a corporate resource, the user may be prompted to enter the same user name and password. In some cases, the user name or password is stored in the file system of the device, for example in a cache or a cookie, so that it can be retrieved without further user input. However, the file system may not be part of a secure environment and is therefore vulnerable to attack by malicious applications.
In some cases, a zero sign-on (ZSO) process is used to further improve the user experience. During ZSO, the user can be authenticated without entering a user name or password. In some cases, during a ZSO process, when an application on a mobile device requests a corporate resource from a service provider (SP), the SP redirects the request to an identity provider (IDP). The IDP can request a certificate from the application and send the certificate to the SP for verification. In some cases, the certificate is sent in the holder-of-key subject confirmation field of a Security Assertion Markup Language (SAML) assertion. The SP can verify the certificate and grant the application access accordingly. In these cases, the SP has to be customized to verify the certificate sent from the IDP. For example, the IDP can provide a software development kit (SDK) to the SP, and the SP can use the SDK to implement the certificate verification process. Alternatively or additionally, an application package can be used to verify the certificate. In these cases, the IDP sends the SP an application package carrying a certificate verification extension, so that the SP can use the extension to perform the certificate verification. These approaches, however, can increase the implementation complexity of the SP. In some cases, an SP provides services to different enterprises, each of which uses a different IDP. In these or other cases, the SP would have to implement a different customization for the certificate verification of each of these IDPs.
In some cases, the enterprise mobility management (EMM) server that manages the mobile devices of a particular enterprise can be used, during device enrollment, to provision a certificate for accessing the resources of that enterprise. The certificate can be signed by the IDP associated with the enterprise, and the signed certificate can be sent by the EMM server to the mobile device. The certificate can be stored in a secure environment on the mobile device and accessed by the applications on the mobile device that are authorized to access resources associated with the enterprise. An application requesting a corporate resource can send the certificate to the IDP in a handshake protocol between the application and the IDP. The IDP can verify the certificate and the mobile device. Figs. 1-4 and the associated descriptions provide additional details of these implementations.
This approach can provide one or more advantages. For example, the SP can avoid customizing certificate verification for different IDPs, which reduces implementation complexity. In addition, the device or the user can be verified in addition to the application requesting the resource, which raises the level of security. Furthermore, the certificate can be managed in a secure environment that provides additional protection.
Fig. 1 is a schematic diagram showing an example communication system 100 that provides access to corporate resources. The example communication system 100 includes a mobile device 102 that is communicatively coupled, through a wireless communication network 110, with a service provider (SP) 130, an enterprise mobility management (EMM) server 140 and an identity provider (IDP) 150.
The SP 130 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to provide corporate resources. Corporate resources can include file systems, websites, portals, or any other resource provisioned to provide enterprise services. In some cases, applications that have been verified are permitted to access corporate resources. Figs. 2-4 and the associated descriptions provide additional details of these implementations.
The IDP 150 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to identify entities. In some cases, the IDP 150 is referred to as an identity assertion provider. The IDP 150 can verify an application that requests access to corporate resources and assert to the SP 130 that the application is authenticated. In some cases, the IDP 150 can also verify the user or the mobile device associated with the request. Figs. 2-4 and the associated descriptions provide additional details of these implementations.
The EMM server 140 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to manage enterprise applications and devices. For example, the EMM server 140 can install, update and manage the licenses of enterprise applications. In some cases, the EMM server 140 includes an application store for enterprise applications. In some cases, the EMM server 140 includes a database of the authorization status of the users and mobile devices that can access corporate resources.
The example communication system 100 includes the mobile device 102. As shown in Fig. 1, the mobile device includes an EMM client 122, a browser 124, an enterprise application 126, a framework 132 and a key store 134.
The EMM client 122 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to manage enterprise services on the mobile device 102. In some cases, the EMM client 122 uses an application programming interface (API) to configure the enterprise application 126.
In some cases, the EMM client 122 communicates with the EMM server 140 to manage access to corporate resources on the mobile device 102. In some cases, a certificate is used to authenticate applications that request access to corporate resources. In some cases, the certificate is obtained during enrollment of the mobile device 102.
In one example, during enrollment, the EMM client 122 generates a private-public key pair. The EMM client 122 sends a certificate signing request (CSR) to the EMM server 140. The CSR includes the generated public key. The EMM server 140 can forward the CSR to the IDP 150. In some cases, the EMM server 140 also sends additional information to the IDP 150 together with the CSR, for example information associated with the mobile device 102, a user identifier for the user of the mobile device 102, an enterprise identifier of the enterprise managed by the EMM server 140, the rights of the user of the mobile device 102 to access corporate resources, or a combination thereof. The IDP 150 can use the public key received in the CSR to prepare a certificate for the mobile device 102, for example by signing the certificate with the private key of the IDP 150, and send the signed certificate to the EMM server 140. The EMM server 140 can forward the certificate to the EMM client 122.
The framework 132 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to manage the operating environment on the mobile device 102. In some cases, the framework 132 includes the operating system of the mobile device 102. In some cases, the framework 132 manages access to the key store. In these or other cases, the EMM client 122, the browser 124 and the enterprise application 126 can access the certificate in the key store 134 through the framework 132.
The key store 134 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to store the certificate used for accessing corporate resources. In some cases, the EMM client 122 stores the signed certificate received from the EMM server 140 in the key store 134. In some cases, the key store 134 is part of a trusted zone (TZ). A TZ is a secure execution environment configured to isolate its operating environment from the general-purpose operating system of the mobile device. The TZ can include a set of security extensions that can be used to perform secure operations. Secure operations can be performed in the TZ at a higher security level. Examples of secure operations performed in the TZ include generating certificates, requesting certificates, updating certificates and the like. In some cases, the TZ is implemented using a hardware processor to provide additional security.
The browser 124 represents an application, a set of applications, software, software modules, hardware, or a combination thereof that can be configured to access websites. In some cases, the browser 124 conforms to the Security Assertion Markup Language (SAML) 2.0 standard. In some cases, the browser 124 can access enterprise websites to obtain corporate resources.
The enterprise application 126 represents an application, a set of applications, software, software modules, or a combination thereof that can execute enterprise services at the SP and access corporate resources. Examples of the enterprise application 126 include an e-mail application for an enterprise account, an enterprise document sharing application, an enterprise development tool and a third-party software-as-a-service (SaaS) application.
In some cases, the certificate described above is provisioned only for applications that are authorized to access corporate resources (for example, the browser 124 and the enterprise application 126). Accordingly, if an application other than the browser 124 and the enterprise application 126 requests the certificate, the request can be denied. In some cases, the EMM client 122 uses a whitelist to provision the authorized resources. The whitelist can include a list of applications authorized to request the certificate. In some cases, the EMM client 122 uses a blacklist to provision the authorized resources. The blacklist can include a list of applications not authorized to request the certificate. In some cases, the whitelist or blacklist is managed by the framework 132. The framework 132 can check the whitelist or blacklist before permitting a request for the certificate. In some cases, a container (such as a Samsung KNOX Workspace container or an Android work profile container) is used to provision the authorized applications.
In some cases, the applications for which the certificate is provisioned can be determined by the IDP 150, the EMM server 140, the SP 130, or a combination thereof. The EMM client 122 can receive provisioning instructions from the EMM server 140 and set up the provisioning accordingly.
In some cases, an application (for example, the browser 124 or the enterprise application 126) requests a corporate resource from the SP 130. The application can send an authentication request to the IDP 150. The IDP 150 can send an authentication challenge to the application. The application can send an authentication response that includes the certificate for accessing corporate resources. The IDP 150 can authenticate the certificate and send an authorization token to the application. The application can pass the authorization token to the SP 130 to access the corporate resource. Figs. 2-4 and the associated descriptions provide additional details of these implementations.
As shown in Fig. 1, the example communication system includes the wireless communication network 110. The wireless communication network 110 can include one or more radio access networks (RANs), core networks (CNs) and external networks. A RAN can include one or more radio access technologies. In some implementations, the radio access technology can be Global System for Mobile communications (GSM), Interim Standard 95 (IS-95), Universal Mobile Telecommunications System (UMTS), CDMA2000 (Code Division Multiple Access), Evolved UMTS, Long Term Evolution (LTE) or LTE-Advanced. In some cases, the core network can be an Evolved Packet Core (EPC).
A RAN is the part of a radio telecommunications system that implements a radio access technology, such as UMTS, CDMA2000, 3GPP LTE and 3GPP LTE-A. In many applications, a RAN includes at least one base station. A base station can be a radio base station that controls all or at least some of the radio-related functions in the fixed part of the system. A base station can provide a radio interface for the mobile device 102 to communicate within its coverage area or within a cell. Base stations can be distributed throughout a cellular network to provide a wide coverage area. A base station communicates directly with one or more mobile devices, other base stations and one or more core network nodes. A base station can operate in any wireless communication technology. Example wireless technologies include Global System for Mobile communications (GSM), Universal Mobile Telecommunications System (UMTS), 3GPP Long Term Evolution (LTE), LTE-Advanced (LTE-A), WiMAX and the like. Example wireless broadband communication systems include IEEE 802.11 wireless LAN, IEEE 802.16 WiMAX networks and the like.
Turning to the general description, a mobile device (for example, the mobile device 102) can be referred to as a mobile electronic device, user device, mobile station, subscriber station, portable electronic device, mobile communication device, wireless modem or wireless terminal. Examples of a mobile device (for example, the mobile device 102) include a cellular phone, personal digital assistant (PDA), smart phone, laptop computer, tablet personal computer (PC), pager, portable computer, portable gaming device, wearable electronic device, or other mobile communication device having components for transmitting voice or data via a wireless communication network. The wireless communication network can include a wireless link over at least one of licensed spectrum and unlicensed spectrum. The term "mobile device" can also refer to any hardware or software component that can terminate a communication session of a user. In addition, the terms "user equipment", "UE", "user equipment device", "user agent", "UA", "user device" and "mobile device" can be used synonymously herein.
Fig. 2 is a flowchart showing an example process 200 for accessing corporate resources. The process 200 can be implemented by any type of system or module that accesses corporate resources. For example, the process 200 can be implemented by the mobile device 102, the SP 130, the IDP 150, or a combination thereof, as shown in Fig. 1. The example process 200 shown in Fig. 2 can also be implemented using additional, fewer or different operations, which can be performed in the order shown or in a different order.
The example process 200 begins at 202, where an access request for a corporate resource is sent. For example, the access request can be a request for an enterprise service. In some cases, as shown in Fig. 2, the access request is sent by the browser 124 on the mobile device. Alternatively or in combination, the access request can be sent by the enterprise application 126 on the mobile device. In some cases, as discussed previously, the entity sending the access request (for example, the browser 124 or the enterprise application 126) has been provisioned with authorization to access the corporate resource. In some cases, as shown in Fig. 2, the access request is sent to the SP 130, which provides enterprise services and manages corporate resources. For example, the access request can be a Simple Object Access Protocol (SOAP) message or a Hypertext Transfer Protocol (HTTP) Representational State Transfer (REST) message.
At 204, in response to the access request, an authentication request is sent from the SP 130 to the browser 124. The browser 124 forwards the authentication request to the IDP 150. In some cases, in response to the forwarded authentication request, the browser 124 presents a web page associated with the IDP 150.
In some cases, the browser 124 can initiate authentication without first accessing the SP 130. For example, the browser 124 can skip step 202 and generate the authentication request itself instead of receiving it from the SP 130 in response to an access request. The browser 124 can send the generated authentication request to the IDP 150. For example, the authentication request can be an HTTP message or an HTTP Secure (HTTPS) message.
At 206, the IDP 150 sends an authentication challenge to the browser 124. In some cases, the authentication challenge includes a request for the certificate. In some cases, the authentication challenge is sent using the Transport Layer Security (TLS) handshake protocol.
At 208, in response to the authentication challenge, the browser 124 sends an authentication response to the IDP 150. In some cases, the authentication response is sent using the Transport Layer Security (TLS) handshake protocol.
In some cases, the authentication response includes the certificate. For example, the authentication response can include the certificate received by the EMM client 122, as discussed previously in Fig. 1 and the associated description. In some cases, the browser 124 accesses a key store on the mobile device 102 (for example, the key store 134 shown in Fig. 1) to retrieve the certificate. In some cases, the certificate is provisioned only for applications authorized to access corporate resources. In these or other cases, the key store, the operating system of the mobile device, or a combination thereof can determine whether the browser 124 is authorized to use the certificate. If the browser 124 is authorized, it can retrieve the certificate. If the browser 124 is not authorized, the retrieval can be blocked, and the browser 124 cannot use the certificate to generate the authentication response.
In some cases, the authentication response does not include user-entered authentication credentials (such as a user name and password). In these or other cases, the authentication response can be generated and sent to the IDP 150 without user interaction. This approach speeds up the authentication process.
In some cases, the IDP 150 sends a second authentication request to the browser 124. The second authentication request can include a request for authentication credentials. In these or other cases, a user interface can be output on the mobile device. The user can provide credentials, such as a user name and password or some other second-factor credential. The browser 124 can send a second authentication response. The second authentication response can include the authentication credentials. This approach can provide additional security in the authentication process. In some cases, the EMM server specifies whether the IDP 150 requests authentication credentials.
In some cases, the authentication includes verifying the certificate included in the authentication response. The verification can be performed by the IDP 150, the EMM server, a combination thereof, or any other entity that can perform the authentication computation. In one example, the certificate is signed with the private key of the IDP 150. Therefore, the IDP 150 can verify whether the certificate is trusted by verifying the signature on the certificate.
In some cases, in addition to verifying the certificate, the IDP 150 determines whether the user or the mobile device is authorized to access corporate resources. For example, as discussed previously, information associated with the certificate (for example, user information, mobile device information, or a combination thereof) can be sent to the IDP 150 during generation of the certificate. Therefore, the IDP 150 can check whether the user or the mobile device is authorized to access corporate resources. In some cases, the user or the mobile device can lose authorization. In one example, the user is a former employee who has lost authorization. In another example, the mobile device is no longer authorized because it does not comply with the security policy set by the enterprise. In these or other cases, the IDP 150 can determine that the user or the mobile device is not verified.
In some cases, the EMM server tracks the status of users and mobile devices. For example, the EMM client can monitor the mobile device and report any security issue, such as malware, to the EMM server. In some cases, if there is a security issue and the user or the mobile device is no longer authorized, the EMM server can update the IDP 150. Alternatively or in combination, the IDP 150 can query the EMM server for the status of the user or the mobile device and verify the user or the mobile device accordingly.
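The enrollment exchange of Fig. 1 (the EMM client generates a key pair and a CSR, the IDP checks and signs it) and the TLS handshake of steps 206-208 with the device state check of the paragraphs above, as an added example in Go. This is example code written for this page, not BlackBerry's implementation: the EMM server's forwarding is folded into the call to SignCSR, the device identifier is carried in the certificate subject, the host name idp.example and the device identifiers are constructed, and the IDP's CA certificate doubles as its TLS server certificate. It also makes explicit a point the text leaves implicit: the IDP verifying its own signature on the certificate proves only that the IDP issued it, while it is the TLS handshake (the client's CertificateVerify, enforced here by the Go TLS stack under RequireAndVerifyClientCert) that proves the device holds the matching private key, which is what stops a copied certificate from being replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// idp stands in for the identity provider of Fig. 1 (example code, not BlackBerry's): a CA
// key that signs device certificates, and the device state the EMM server reports to it.
// The CA certificate doubles as the IDP's TLS server identity to keep the example short.
type idp struct {
	key          *ecdsa.PrivateKey
	cert         *x509.Certificate
	deauthorized map[string]bool // device IDs the EMM server reported as no longer authorized
}

func newIDP() *idp {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IDP"},
		DNSNames: []string{"idp.example"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &idp{key: key, cert: must(x509.ParseCertificate(der)), deauthorized: map[string]bool{}}
}

// SignCSR is the IDP side of enrollment: check the CSR's proof of possession of the private
// key, then issue a client-auth certificate whose subject carries the device identifier.
func (p *idp) SignCSR(csrDER []byte, deviceID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, p.cert, csr.PublicKey, p.key)
}

// Enroll is the EMM client side: generate the device key pair, send a CSR for the public
// key, and keep the signed certificate beside the private key (the key store 134 in Fig. 1).
func Enroll(p *idp, deviceID string) tls.Certificate {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, devKey))
	return tls.Certificate{Certificate: [][]byte{must(p.SignCSR(csrDER, deviceID))}, PrivateKey: devKey}
}

// Authenticate runs steps 206-208 of Fig. 2 as a mutual TLS handshake over loopback: the IDP
// requests a client certificate chaining to its CA (the handshake also makes the device prove
// possession of the matching private key), then applies the device state check before the
// handshake may complete. It returns the device identifier the IDP accepted.
func Authenticate(p *idp, devCert tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.cert)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.cert.Raw}, PrivateKey: p.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the certificate request in the challenge
		ClientCAs:    roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if id := chains[0][0].Subject.CommonName; p.deauthorized[id] {
				return fmt.Errorf("device %q is no longer authorized by the EMM server", id)
			}
			return nil
		},
	}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{devCert}, RootCAs: roots, ServerName: "idp.example"}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	var id string
	errc := make(chan error, 1)
	go func() { // IDP side
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv := tls.Server(raw, srvCfg)
			if err = srv.Handshake(); err == nil {
				id = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		errc <- err
	}()
	raw := must(net.Dial("tcp", ln.Addr().String())) // device side
	defer raw.Close()
	cliErr := tls.Client(raw, cliCfg).Handshake()
	if srvErr := <-errc; srvErr != nil || cliErr != nil {
		return "", fmt.Errorf("handshake rejected: IDP=%v, device=%v", srvErr, cliErr)
	}
	return id, nil
}
```

Enroll then Authenticate succeeds for a device the IDP issued a certificate to; a certificate from another IDP, a malformed CSR, and a device the EMM server has marked as no longer authorized are all rejected. In a deployment the device key would be generated and kept in the key store (the TZ of Fig. 1) rather than in process memory, and the deauthorized map would be a lookup against the EMM server's device status.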
In some cases, as discussed previously, the authentication response includes user credentials. In these or other cases, the user credentials can be verified to determine whether the user is authorized. The verification can be performed by the IDP 150, the EMM server, or a combination thereof.
At 210, the IDP 150 sends an authorization token to the browser 124. In some cases, the authorization token is sent in response to the authentication of the browser 124. In some cases, the authorization token includes a user name, an authentication state, or a combination thereof. The authentication state can indicate whether the authentication succeeded or failed. For example, if any of the verification processes discussed above (for example, certificate verification, user or mobile device verification, or user credential verification) is unsuccessful, the authentication state can be set to failure. If all verification processes succeed, the authentication state can be set to success.
In some cases, the authorization token is signed with the private key of the IDP 150. In some cases, the authorization token is formatted as a Security Assertion Markup Language (SAML) assertion or an OpenID Connect ID token. The SAML assertion need not include key information for the authentication. For example, the SAML assertion can omit the holder-of-key subject confirmation field when the SP does not support SAML assertions that carry it.
At 212, the browser 124 sends the authorization token to the SP 130. In some cases, the browser 124 sends the authorization token using an HTTP POST. The SP 130 can determine, based on the authentication state in the authorization token, whether the browser 124 is authorized to access the corporate resource. In some cases, as discussed previously, the authorization token is signed with the private key of the IDP 150. In these or other cases, the SP 130 can use the public key of the IDP 150 to verify the signature on the authorization token.
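The authorization token of steps 210-212, as an added example in Go (example code for this page, not code from the patent or from BlackBerry): the IDP signs the token with its private key and the SP verifies it with the IDP public key before reading the authentication state. The token is written as a compact JWS with ES256, the form an OpenID Connect ID token takes; the claim name auth_state, the issuer and audience URLs, and the user name are assumptions for the example, and a SAML assertion would carry the same signed statement in XML instead. Note the order of the SP-side checks: signature first, then audience, expiry and authentication state, with the algorithm pinned so that the token cannot pick how it is verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the body of the authorization token of step 210: the user name and the
// authentication state, plus the issuer, audience and expiry an SP needs to reject a
// replayed or misdirected token. The field names are assumptions for this example.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	Expiry    int64  `json:"exp"`
	AuthState string `json:"auth_state"`
}

var b64 = base64.RawURLEncoding

// IssueToken is the IDP side: serialize the claims and sign them with the IDP private
// key as a compact JWS (ES256, the signature form an OpenID Connect ID token uses).
func IssueToken(idpKey *ecdsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, idpKey, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // a JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the SP side of step 212: check the signature with the IDP public key
// before trusting any claim, then check audience, expiry and the authentication state.
// It returns the claims only when the SP may grant access.
func VerifyToken(idpPub *ecdsa.PublicKey, token, sp string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: the token must not choose how it is verified ("alg":"none" and
	// an HMAC alg keyed with the public key are the classic downgrades).
	var h struct {
		Alg string `json:"alg"`
	}
	if hdr, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "ES256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(idpPub, digest[:], r, s) {
		return nil, errors.New("signature does not verify with the IDP public key")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Audience != sp:
		return nil, fmt.Errorf("token issued for %q, not for this SP", c.Audience)
	case now.Unix() >= c.Expiry:
		return nil, errors.New("token expired")
	case c.AuthState != "success":
		return nil, fmt.Errorf("IDP reported authentication state %q", c.AuthState)
	}
	return &c, nil
}

func main() {
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := IssueToken(idpKey, Claims{Issuer: "https://idp.example", Subject: "alice",
		Audience: "https://sp.example", Expiry: time.Now().Add(5 * time.Minute).Unix(), AuthState: "success"})
	c, err := VerifyToken(&idpKey.PublicKey, tok, "https://sp.example", time.Now())
	fmt.Println(c, err)
}
```

The SP only needs the IDP public key, which is the point of the paragraph above: no per-IDP certificate verification code at the SP, just signature verification on the token. A token with a tampered payload, a token signed by a different key, a token for another SP, an expired token, a token whose authentication state is failure, and a token whose header claims "alg":"none" are all refused. In production the same checks are what a vetted JWT or SAML library performs; the example spells them out so that none is skipped.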
At 214, if authentication state instruction authenticates successfully, as shown in Fig. 2, SP 130 can be provided to browser 124 access is to access corporate resources.If authentication state indicates that authentification failure, SP 130 can be refused to browser 124 Access.
Fig. 3 is a block diagram showing an example mobile device 300. The illustrated device 300 includes a processing unit 302, a computer-readable storage medium 304 (for example, ROM or flash memory), a wireless communication subsystem 306, a user interface 308 and an I/O interface 310.
The processing unit 302 may include one or more processing components (also referred to as "processors" or "central processing units" (CPUs)) configured to execute instructions related to one or more of the processes, steps or actions described herein in connection with one or more of the disclosed implementations. In some implementations, the processing unit 302 may be configured to generate control information (such as a measurement report) or to respond to received information (such as control information from a network node). The processing unit 302 may also be configured to make radio resource management (RRM) decisions, such as cell selection/reselection, or to trigger measurement reports. The processing unit 302 may further include other auxiliary components, such as random access memory (RAM) and read-only memory (ROM). The computer-readable storage medium 304 may store the operating system (OS) of the device 300 and various other computer-executable instructions, logic or software programs for performing one or more of the processes, steps or actions described above. In some cases, the computer-readable storage medium 304 may be transitory, non-transitory, or a combination thereof.
The wireless communication subsystem 306 may be configured to provide wireless communication for voice, data and/or control information supplied by the processing unit 302. The wireless communication subsystem 306 may include, for example, one or more antennas, receivers, transmitters, local oscillators, mixers and digital signal processing (DSP) units. In some implementations, the subsystem 306 may support multiple-input multiple-output (MIMO) transmission. In some implementations, the receivers in the wireless communication subsystem 306 may be advanced receivers or baseline receivers. Two receivers may be implemented with identical, similar or different receiver processing algorithms.
The user interface 308 may include, for example, one or more of a screen or touch screen (for example, a liquid crystal display (LCD), a light-emitting diode (LED) display, an organic light-emitting display (OLED) or a micro-electro-mechanical system (MEMS) display), a keyboard or keypad, a trackball, a speaker and a microphone. The I/O interface 310 may include, for example, a universal serial bus (USB) interface.
Fig. 4 is a flow chart showing an example method 400 for accessing enterprise resources. The method 400 may be implemented by any type of system or module that accesses enterprise resources. For example, the method 400 may be implemented by the mobile device 102 shown in Fig. 1. As shown in Fig. 4, the example method 400 may also be implemented with additional, fewer or different operations, and these operations may be performed in the order shown or in a different order.
The method 400 starts at 402, where a certificate for accessing enterprise resources is received from an EMM server at an enterprise mobility management (EMM) client on the mobile device. In some cases, the EMM client may generate a key pair for accessing the enterprise resources and obtain the signed certificate from the EMM server by sending the EMM server a certificate signing request (CSR) that includes the generated public key. At 404, an authentication request is sent from an application on the mobile device to an identity provider. In some cases, the authentication response is sent in response to determining that the application is provisioned to use the certificate of the enterprise associated with the enterprise resources. In some cases, the application sends an access request to a service provider that provides an enterprise service for the enterprise; in those cases, the authentication request is received from the service provider in response to the access request. Alternatively or additionally, the authentication request is initiated in response to the application accessing the identity provider. At 406, in response to the authentication request, an authentication challenge is received from the identity provider. The authentication challenge includes a certificate request. At 408, in response to the authentication challenge, an authentication response is sent from the application. The authentication response includes the certificate. In some cases, in response to the authentication response, a second authentication request for authentication credentials is received. In response to the second authentication request, a second authentication response is sent, and the second authentication response includes authentication credentials associated with the application. At 410, an authorization token is received from the identity provider. The authorization token indicates whether the identity provider has validated the certificate and the mobile device.
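The exchange of method 400 (restated in claims 1 to 8 below), as an added model that is not part of the patent or of any BlackBerry code. Every identifier in it is constructed: one enrolled device, one application provisioned to use the enterprise certificate, an EMM CA key and an identity-provider token key. The RSA is textbook and unpadded, on fixed Mersenne-prime keys, standing in for a keystore-backed key pair and a real certificate library; the authorization token is HMAC-signed. Beyond what the text states, the model shows why the challenge carries a nonce that the application signs (the certificate alone is not proof of possession and cannot be replayed), and that the identity provider's "certificate and device validated" decision is several separate checks: issuer signature, device enrolment, key possession and nonce freshness.

```python
"""Model of method 400: an enterprise app authenticates to an identity
provider (IdP) with a certificate the EMM client obtained from the EMM
server.  The RSA here is textbook and unpadded, on fixed Mersenne-prime
keys, purely to make the exchange self-contained; it is not for real use."""
import hashlib
import hmac
import json
import secrets

E = 65537


def _make_key(p, q):
    """Toy RSA key pair from two primes (a real deployment uses a keystore-backed key)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(payload):
    return int.from_bytes(hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).digest(), "big")


def sign(key, payload):
    return pow(_digest(payload) % key["n"], key["d"], key["n"])


def verify(n, payload, signature):
    return pow(signature, E, n) == _digest(payload) % n


# Constructed sample environment; every identifier below is hypothetical.
ENTERPRISE = "example-corp"
EMM_CA_KEY = _make_key(2**107 - 1, 2**61 - 1)        # EMM server's CA signing key
ENROLLED_DEVICES = {"device-0001"}                    # devices the EMM server manages
ENTERPRISE_APPS = {"com.example.mail"}                # apps provisioned to use the enterprise certificate
APP_CREDENTIALS = {"com.example.mail": "constructed-app-credential"}
IDP_TOKEN_KEY = b"constructed-idp-token-key"          # IdP's token-signing key (HMAC)
_PENDING = set()                                      # nonces the IdP has issued but not yet consumed


# Step 402: the EMM client generates a key pair and sends a CSR; the EMM server returns a signed certificate.
def emm_server_sign_csr(csr):
    if csr["device_id"] not in ENROLLED_DEVICES:
        raise PermissionError("CSR from a device that is not enrolled")
    body = {"issuer": "EMM-CA", "enterprise": ENTERPRISE, **csr}
    return {"body": body, "signature": sign(EMM_CA_KEY, body)}


def emm_client_provision(device_id):
    device_key = _make_key(2**127 - 1, 2**89 - 1)     # fixed toy key standing in for a freshly generated pair
    cert = emm_server_sign_csr({"device_id": device_id, "public_key": device_key["n"]})
    return device_key, cert


# Steps 404/406: the app sends an authentication request; the IdP replies with a challenge that
# carries a certificate request (acceptable issuers) and a fresh nonce.
def idp_challenge(auth_request):
    nonce = secrets.token_hex(16)                     # the request body itself is not needed by this model
    _PENDING.add(nonce)
    return {"certificate_request": {"acceptable_issuers": ["EMM-CA"]}, "nonce": nonce}


# Step 408: the app answers with the certificate plus a signature over the nonce, proving it holds the key.
def app_respond(app_id, device_key, cert, challenge):
    if app_id not in ENTERPRISE_APPS:   # claim 2: only a provisioned app may present the enterprise certificate
        raise PermissionError(f"{app_id} is not provisioned to use the {ENTERPRISE} certificate")
    proof = sign(device_key, {"nonce": challenge["nonce"], "app": app_id})
    return {"certificate": cert, "app": app_id, "nonce": challenge["nonce"], "proof": proof}


# Step 410 (first half): the IdP checks the certificate chain, the device, and key possession.
def idp_validate(response):
    body, sig = response["certificate"]["body"], response["certificate"]["signature"]
    checks = {
        "nonce_fresh": response["nonce"] in _PENDING,
        "issuer_trusted": body["issuer"] == "EMM-CA" and verify(EMM_CA_KEY["n"], body, sig),
        "device_managed": body["device_id"] in ENROLLED_DEVICES,
        "key_possession": verify(body["public_key"], {"nonce": response["nonce"], "app": response["app"]}, response["proof"]),
    }
    _PENDING.discard(response["nonce"])               # a nonce is good for exactly one response
    return {"validated": all(checks.values()), "checks": checks, "device_id": body["device_id"], "app": response["app"]}


# Optional second round (claim 7): the IdP asks for an application credential before issuing the token.
def idp_issue_token(validation, credential):
    expected = APP_CREDENTIALS.get(validation["app"], "")
    if not (validation["validated"] and hmac.compare_digest(expected, credential)):
        return None
    claims = {"sub": validation["device_id"], "app": validation["app"], "cert_validated": True, "device_validated": True}
    mac = hmac.new(IDP_TOKEN_KEY, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": mac}


def run_flow(app_id="com.example.mail", device_id="device-0001", credential="constructed-app-credential"):
    """Whole exchange end to end; returns the authorization token or None."""
    device_key, cert = emm_client_provision(device_id)
    response = app_respond(app_id, device_key, cert, idp_challenge({"app": app_id}))
    return idp_issue_token(idp_validate(response), credential)
```

The design point worth keeping from this model is in `idp_validate`: a certificate that chains to the EMM CA says the EMM server once enrolled the device, the enrolment set says it is still managed, and the signed nonce says the responder holds the private key now; a token should only assert "certificate and device validated" when all three hold, and a consumed nonce must not validate a second time.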
Some of the subject matter and operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Some of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a computer storage medium for execution by, or to control the operation of, a data processing apparatus. A computer storage medium can be, or can be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Moreover, while a computer storage medium is not a propagated signal, a computer storage medium can be a source or destination of computer program instructions encoded in an artificially generated propagated signal. The computer storage medium can also be, or be included in, one or more separate physical components or media (for example, multiple CDs, disks or other storage devices).
The term "data processing apparatus" encompasses all kinds of apparatus, devices and machines for processing data, including by way of example a programmable processor, a computer, a system on a chip, or multiples or combinations of the foregoing. The apparatus can include special-purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). In addition to hardware, the apparatus can also include code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them.
A computer program (also known as a program, software, software application, script or code) can be written in any form of programming language, including compiled or interpreted languages and declarative or procedural languages. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
Some of the processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special-purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. A computer may include a processor that performs actions in accordance with instructions and one or more memory devices that store the instructions and data. A computer may also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data (e.g., magnetic disks, magneto-optical disks, or optical disks). However, a computer need not have such devices. Devices suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, flash memory devices), magnetic disks (e.g., internal hard disks, removable disks, and the like), magneto-optical disks, and CD-ROM and DVD-ROM disks. In some cases, the processor and the memory can be supplemented by, or incorporated in, special-purpose logic circuitry.
To provide for interaction with a user, operations can be implemented on a computer having a display device (e.g., a monitor or another type of display device) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse, a trackball, a tablet, a touch-sensitive screen, or another type of pointing device) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, such as visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to, and receiving documents from, a device that is used by the user; for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.
A computer system may include a single computing device, or multiple computers that operate in proximity to or generally remote from each other and typically interact through a communication network. Examples of communication networks include a local area network ("LAN") and a wide area network ("WAN"), an inter-network (e.g., the Internet), a network comprising a satellite link, and peer-to-peer networks (e.g., ad hoc peer-to-peer networks). A relationship of client and server may arise by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
While this specification contains many details, these should not be construed as limitations on the scope of what may be claimed, but rather as descriptions of features specific to particular examples. Certain features that are described in this specification in the context of separate implementations can also be combined. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple embodiments separately or in any suitable subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Furthermore, the techniques, systems, subsystems and methods described and illustrated in the various implementations as discrete or separate may be combined or integrated with other systems, modules, techniques or methods without departing from the scope of the present disclosure. Other items shown or discussed as coupled, directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device or intermediate component, whether electrically, mechanically or otherwise. Other examples of changes, substitutions and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.
While the above detailed description has shown, described and pointed out the fundamental novel features of the disclosure as applied to various implementations, it will be understood that various omissions, substitutions and changes in the form and details of the illustrated system may be made by those skilled in the art without departing from the intent of the disclosure. In addition, the order of method steps is not implied by the order in which they appear in the claims.

Claims (20)

1. A method, comprising:
receiving, at an enterprise mobility management (EMM) client on a mobile device, a certificate for accessing enterprise resources from an EMM server;
sending an authentication request from an application on the mobile device to an identity provider;
in response to the authentication request, receiving an authentication challenge from the identity provider, wherein the authentication challenge includes a certificate request;
from the application and in response to the authentication challenge, sending an authentication response, wherein the authentication response includes the certificate; and
receiving an authorization token from the identity provider, wherein the authorization token indicates whether the identity provider has validated the certificate and the mobile device.
2. The method of claim 1, further comprising:
before sending the authentication response, determining whether the application is provisioned to use the certificate of the enterprise associated with the enterprise resources; and
wherein sending the authentication response is in response to determining that the application is provisioned.
3. The method of claim 1, further comprising:
sending an access request from the application on the mobile device to a service provider that provides an enterprise service for the enterprise; and
in response to the access request, receiving the authentication request.
4. The method of claim 1, wherein the authentication request is initiated in response to the application accessing the identity provider.
5. The method of claim 1, wherein the authentication challenge and the authentication response are transmitted according to a Transport Layer Security (TLS) handshake protocol.
6. The method of claim 1, wherein the certificate is stored in a keystore that is part of a trusted zone (TZ).
7. The method of claim 1, further comprising:
in response to the authentication response, receiving a second authentication request for authentication credentials; and
sending a second authentication response in response to the second authentication request, wherein the second authentication response includes authentication credentials associated with the application.
8. The method of claim 1, wherein the application comprises at least one of an enterprise application or a browser.
9. A mobile device, comprising:
a memory; and
at least one hardware processor communicatively coupled with the memory and configured to:
receive, at an enterprise mobility management (EMM) client on the mobile device, a certificate for accessing enterprise resources from an EMM server;
send an authentication request from an application on the mobile device to an identity provider;
in response to the authentication request, receive an authentication challenge from the identity provider, wherein the authentication challenge includes a certificate request;
from the application and in response to the authentication challenge, send an authentication response, wherein the authentication response includes the certificate; and
receive an authorization token from the identity provider, wherein the authorization token indicates whether the identity provider has validated the certificate and the mobile device.
10. The mobile device of claim 9, wherein the at least one hardware processor is further configured to:
before sending the authentication response, determine whether the application is provisioned to use the certificate of the enterprise associated with the enterprise resources; and
wherein sending the authentication response is in response to determining that the application is provisioned.
11. The mobile device of claim 9, wherein the at least one hardware processor is further configured to:
send an access request from the application on the mobile device to a service provider that provides an enterprise service for the enterprise; and
in response to the access request, receive the authentication request.
12. The mobile device of claim 9, wherein the authentication request is initiated in response to the application accessing the identity provider.
13. The mobile device of claim 9, wherein the authentication challenge and the authentication response are transmitted according to a Transport Layer Security (TLS) handshake protocol.
14. The mobile device of claim 9, wherein the certificate is stored in a keystore that is part of a trusted zone (TZ).
15. The mobile device of claim 9, wherein the at least one hardware processor is further configured to:
in response to the authentication response, receive a second authentication request for authentication credentials; and
send a second authentication response in response to the second authentication request, wherein the second authentication response includes authentication credentials associated with the application.
16. The mobile device of claim 9, wherein the application comprises at least one of an enterprise application or a browser.
17. A non-transitory computer-readable medium comprising instructions which, when executed, cause a computing device to perform operations comprising:
receiving, at an enterprise mobility management (EMM) client on a mobile device, a certificate for accessing enterprise resources from an EMM server;
sending an authentication request from an application on the mobile device to an identity provider;
in response to the authentication request, receiving an authentication challenge from the identity provider, wherein the authentication challenge includes a certificate request;
from the application and in response to the authentication challenge, sending an authentication response, wherein the authentication response includes the certificate; and
receiving an authorization token from the identity provider, wherein the authorization token indicates whether the identity provider has validated the certificate and the mobile device.
18. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise:
before sending the authentication response, determining whether the application is provisioned to use the certificate of the enterprise associated with the enterprise resources; and
wherein sending the authentication response is in response to determining that the application is provisioned.
19. The non-transitory computer-readable medium of claim 17, wherein the operations further comprise:
sending an access request from the application on the mobile device to a service provider that provides an enterprise service for the enterprise; and
in response to the access request, receiving the authentication request.
20. The non-transitory computer-readable medium of claim 17, wherein the authentication request is initiated in response to the application accessing the identity provider.
CN201780024479.4A 2016-03-03 2017-02-27 Accessing enterprise resources Active CN109076075B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/060,466 2016-03-03
US15/060,466 US10305885B2 (en) 2016-03-03 2016-03-03 Accessing enterprise resources using provisioned certificates
PCT/US2017/019596 WO2017151464A1 (en) 2016-03-03 2017-02-27 Accessing enterprise resources

Publications (2)

Publication Number Publication Date
CN109076075A true CN109076075A (en) 2018-12-21
CN109076075B CN109076075B (en) 2021-11-09

Family

ID=58264643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780024479.4A Active CN109076075B (en) 2016-03-03 2017-02-27 Accessing enterprise resources

Country Status (4)

Country Link
US (1) US10305885B2 (en)
EP (1) EP3408994B1 (en)
CN (1) CN109076075B (en)
WO (1) WO2017151464A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111259363A (en) * 2020-01-19 2020-06-09 数字广东网络建设有限公司 Service access information processing method, system, device, equipment and storage medium
CN112769549A (en) * 2020-12-29 2021-05-07 苏宁消费金融有限公司 Cache-based visual certificate upgrading method and system
CN112997462A (en) * 2019-10-15 2021-06-18 谷歌有限责任公司 System and method for protecting data
CN114073040A (en) * 2019-08-05 2022-02-18 万事达卡国际公司 Secure server client interaction
CN115336231A (en) * 2020-03-23 2022-11-11 微软技术许可有限责任公司 Device provisioning using supplemental cryptographic identities

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6680022B2 (en) * 2016-03-18 2020-04-15 株式会社リコー Information processing apparatus, information processing system, information processing method, and program
US10516653B2 (en) 2016-06-29 2019-12-24 Airwatch, Llc Public key pinning for private networks
US11165591B2 (en) * 2016-09-08 2021-11-02 Cable Television Laboratories, Inc. System and method for a dynamic-PKI for a social certificate authority
US10587582B2 (en) 2017-05-15 2020-03-10 Vmware, Inc Certificate pinning by a tunnel endpoint
US10447486B2 (en) * 2017-07-19 2019-10-15 Spyrus, Inc. Remote attestation of a security module's assurance level
US10355864B2 (en) 2017-08-29 2019-07-16 Citrix Systems, Inc. Policy based authentication
EP3861795A1 (en) * 2018-11-15 2021-08-11 Huawei Technologies Co., Ltd. Automatic digital identification system integrated between consumer devices and backend services
WO2020124420A1 (en) * 2018-12-19 2020-06-25 Citrix Systems, Inc. Scenario based multiple applications on-screen
US11329990B2 (en) * 2019-05-17 2022-05-10 Imprivata, Inc. Delayed and provisional user authentication for medical devices
CN111416822B (en) * 2020-03-20 2022-10-18 数篷科技(深圳)有限公司 Method for access control, electronic device and storage medium
US11032270B1 (en) * 2020-04-07 2021-06-08 Cyberark Software Ltd. Secure provisioning and validation of access tokens in network environments
US10965674B1 (en) 2020-06-08 2021-03-30 Cyberark Software Ltd. Security protection against threats to network identity providers
CN114666147A (en) * 2022-03-31 2022-06-24 深信服科技股份有限公司 Identity authentication method, device, equipment and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040003008A1 (en) * 1995-04-03 2004-01-01 Wasilewski Anthony J. Method for partially encrypting program data
US20100064134A1 (en) * 2005-12-23 2010-03-11 Gross Thomas R Secure identity management
CN102047709A (en) * 2008-06-02 2011-05-04 微软公司 Trusted device-specific authentication
US20130346745A1 (en) * 2010-12-22 2013-12-26 Mobile Iron, Inc. Management of certificates for mobile devices
CN103942684A (en) * 2014-04-25 2014-07-23 天地融科技股份有限公司 Data security interactive system
US9191381B1 (en) * 2011-08-25 2015-11-17 Symantec Corporation Strong authentication via a federated identity protocol
CN105187372A (en) * 2015-06-09 2015-12-23 深圳市腾讯计算机系统有限公司 Method for data processing based on mobile application entrance, device and system

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7187772B2 (en) * 2001-08-31 2007-03-06 Hewlett-Packard Development Company, L.P. Anonymous transactions based on distributed processing
DE602005017050D1 (en) 2004-08-24 2009-11-19 Gemalto Sa PERSONAL TOKEN AND METHOD FOR CONTROLLED AUTHENTICATION
US8590027B2 (en) 2007-02-05 2013-11-19 Red Hat, Inc. Secure authentication in browser redirection authentication schemes
WO2009074709A1 (en) 2007-12-10 2009-06-18 Nokia Corporation Authentication arrangement
CN102668501B (en) 2009-10-15 2015-12-09 交互数字专利控股公司 Produce based on the registration of service of subscribing to and voucher for accessing
US8549300B1 (en) 2010-02-23 2013-10-01 Juniper Networks, Inc. Virtual single sign-on for certificate-protected resources
US9032473B2 (en) 2010-03-02 2015-05-12 Interdigital Patent Holdings, Inc. Migration of credentials and/or domains between trusted hardware subscription modules
US10064974B2 (en) * 2011-01-31 2018-09-04 Thomas Gerber Silicic acid condensates having a low degree of cross-linking in a polymer matrix
CA2835349C (en) * 2011-02-15 2017-02-28 Research In Motion Limited System and method for identity management for mobile devices
WO2012123727A1 (en) * 2011-03-11 2012-09-20 Callsign, Inc Personal identity control
US8955078B2 (en) 2011-06-30 2015-02-10 Cable Television Laboratories, Inc. Zero sign-on authentication
US8850187B2 (en) * 2012-05-17 2014-09-30 Cable Television Laboratories, Inc. Subscriber certificate provisioning
US9690920B2 (en) 2012-08-30 2017-06-27 International Business Machines Corporation Secure configuration catalog of trusted identity providers
US8935808B2 (en) 2012-12-18 2015-01-13 Bank Of America Corporation Identity attribute exchange and validation broker
US9286465B1 (en) * 2012-12-31 2016-03-15 Emc Corporation Method and apparatus for federated single sign on using authentication broker
US8893230B2 (en) 2013-02-22 2014-11-18 Duo Security, Inc. System and method for proxying federated authentication protocols
US20140379584A1 (en) * 2013-06-25 2014-12-25 FraudFree Finance, LLC Anti-fraud financial transaction method
WO2015013412A1 (en) * 2013-07-23 2015-01-29 Azuki Systems, Inc. Media client device authentication using hardware root of trust
FR3021177B1 (en) * 2014-05-14 2016-06-10 Evidian METHOD FOR MANAGING USER ACCOUNTS IN A HOSTED APPLICATION
US9749310B2 (en) * 2015-03-27 2017-08-29 Intel Corporation Technologies for authentication and single-sign-on using device security assertions
US10187374B2 (en) * 2015-10-29 2019-01-22 Airwatch Llc Multi-factor authentication for managed applications using single sign-on technology

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114073040A (en) * 2019-08-05 2022-02-18 万事达卡国际公司 Secure server client interaction
CN114073040B (en) * 2019-08-05 2023-12-05 万事达卡国际公司 Method for secure server client interaction, computing device, and server
CN112997462A (en) * 2019-10-15 2021-06-18 谷歌有限责任公司 System and method for protecting data
CN112997462B (en) * 2019-10-15 2022-11-22 谷歌有限责任公司 System and method for protecting data
CN111259363A (en) * 2020-01-19 2020-06-09 数字广东网络建设有限公司 Service access information processing method, system, device, equipment and storage medium
CN115336231A (en) * 2020-03-23 2022-11-11 微软技术许可有限责任公司 Device provisioning using supplemental cryptographic identities
CN112769549A (en) * 2020-12-29 2021-05-07 苏宁消费金融有限公司 Cache-based visual certificate upgrading method and system

Also Published As

Publication number Publication date
US10305885B2 (en) 2019-05-28
CN109076075B (en) 2021-11-09
WO2017151464A1 (en) 2017-09-08
EP3408994B1 (en) 2019-10-30
US20170257360A1 (en) 2017-09-07
EP3408994A1 (en) 2018-12-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant